Fix memory allocation failure handling in EAP-TTLS/MSCHAPv2 server

If the os_malloc() call for the User-Name value fails in EAP-TTLS server, the inner MSCHAPv2 processing could have tried to dereference a NULL pointer. Avoid this by handling this cleanly as an internal error and reject the authentication attempt. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
2012-08-19 17:23:00 +03:00 · 2012-08-19 17:23:00 +03:00 · a2f94dbe62
commit a2f94dbe62
parent 44ec48ebfd
1 changed files with 12 additions and 4 deletions
--- a/src/eap_server/eap_server_ttls.c
+++ b/src/eap_server/eap_server_ttls.c
@ -674,6 +674,13 @@ static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
 		return;
 	}

+	if (sm->identity == NULL) {
+		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity "
+			   "known");
+		eap_ttls_state(data, FAILURE);
+		return;
+	}
+
 	/* MSCHAPv2 does not include optional domain name in the
 	 * challenge-response calculation, so remove domain prefix
 	 * (if present). */
@ -979,11 +986,12 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
 	if (parse.user_name) {
 		os_free(sm->identity);
 		sm->identity = os_malloc(parse.user_name_len);
-		if (sm->identity) {
-			os_memcpy(sm->identity, parse.user_name,
-				  parse.user_name_len);
-			sm->identity_len = parse.user_name_len;
+		if (sm->identity == NULL) {
+			eap_ttls_state(data, FAILURE);
+			goto done;
 		}
+		os_memcpy(sm->identity, parse.user_name, parse.user_name_len);
+		sm->identity_len = parse.user_name_len;
 		if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
 		    != 0) {
 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "